The Ultimate Security Checklist for Cursor, Claude & Lovable Apps

Each AI coding tool leaves a slightly different security footprint. Here's the checklist broken down by platform, so you know exactly what to check for the tool you're actually using.

Cursor

Full-stack code generation means more surface area — auth middleware, database queries, payment integrations.

  • Verify every hallucinated-looking npm package actually exists and matches the expected author
  • Grep deployed JS bundles for sk_live, sk-proj, or any server-only key
  • Test every /admin and /api/admin/* route with no session — should 401/403, not redirect
  • Confirm SQL queries use parameterization, not string concatenation

Claude Code

Strong at following explicit instructions — which means security requirements left unstated are the ones most likely to be missing.

  • If you didn't explicitly ask for rate limiting on an AI/LLM endpoint, assume it isn't there
  • Check that max_tokens is set on every API call — unbounded generations are a cost and abuse vector
  • Confirm user input isn't concatenated directly into system prompts (prompt injection)
  • Review any auth middleware Claude generated line by line — it will follow the spec you gave it exactly, including any gap in that spec

Lovable

Ships fast on top of Supabase — which means Supabase misconfiguration is the dominant risk category.

  • Enable Row Level Security on every table — Lovable does not do this by default
  • Check for USING (true) policies that unintentionally allow unrestricted reads
  • Confirm the Supabase service role key is never exposed to the client — only the anon key should appear in bundles
  • Test the anon key directly against your REST API — can it read tables it shouldn't?
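The bundle checks from the Cursor and Lovable lists, combined into one scanner. This is an added example, not code from the original page or from any of the tools it describes. It assumes the Supabase keys are JWTs carrying a `role` claim of `anon` or `service_role`; the function names and every key in the sample are constructed.

```javascript
// Added example; all keys and tokens below are constructed placeholders.
const SECRET_PATTERNS = [
  { rule: "stripe-live-secret", re: /\bsk_live_[0-9A-Za-z]{8,}/g },
  { rule: "openai-project-key", re: /\bsk-proj-[0-9A-Za-z_-]{8,}/g },
];
// A JWT is three base64url segments; a JSON header always encodes to "eyJ...".
const JWT_RE = /\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+/g;

// Decode the payload (no signature check needed here) and return its "role" claim, or null.
function jwtRole(token) {
  try {
    const b64 = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
    const claims = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    return typeof claims.role === "string" ? claims.role : null;
  } catch {
    return null; // not a decodable JWT, so not a Supabase key
  }
}

// Never echo a full secret into CI logs.
const redact = (s) => s.slice(0, 12) + "...";

function scanBundle(source) {
  const findings = [];
  for (const { rule, re } of SECRET_PATTERNS) {
    for (const m of source.matchAll(re)) {
      findings.push({ rule, match: redact(m[0]), offset: m.index });
    }
  }
  for (const m of source.matchAll(JWT_RE)) {
    // The anon key is expected in client code; service_role bypasses RLS.
    if (jwtRole(m[0]) === "service_role") {
      findings.push({ rule: "supabase-service-role-jwt", match: redact(m[0]), offset: m.index });
    }
  }
  return findings;
}

// Constructed sample bundle: a publishable key and an anon JWT (both fine to ship),
// plus three server-only secrets that should be flagged.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fakeJwt = (role) =>
  [b64url({ alg: "HS256", typ: "JWT" }), b64url({ iss: "supabase", role }), "constructedsig"].join(".");
const SAMPLE_BUNDLE = `
const pk="pk_live_CONSTRUCTED0000";const stripe="sk_live_CONSTRUCTED0000example";
const ai="sk-proj-CONSTRUCTED_example_0000";
const supa=createClient(u,"${fakeJwt("anon")}");const admin=createClient(u,"${fakeJwt("service_role")}");`;
console.log(scanBundle(SAMPLE_BUNDLE));
```

Run `scanBundle` over each file in the build output and fail the build on any finding.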

What's common to all three

  • No HTTP security headers by default — CSP, HSTS, X-Frame-Options must be added manually
  • Payment webhook handlers rarely verify signatures unless explicitly told to
  • None of the three tools run an adversarial test on their own output — that requires a separate pass, see AI Pentesting


The Ultimate Security Checklist for Cursor, Claude & Lovable Apps | Vezraa